AI Management System Fundamentals & Related Standards
Deep dive into Annex SL structure, PDCA cycle, and related standards including ISO 22989, ISO 23894, ISO 38507, and integration with ISO 27001/9001.
Chapter Overview
This chapter explores foundational frameworks underpinning ISO 42001. Understanding Annex SL, the PDCA cycle, and related AI standards is essential for certification and implementation.
Annex SL: The Harmonized Structure
What is Annex SL?
Annex SL (formerly ISO Guide 83) is the mandatory framework for all ISO management system standards, providing a common high-level structure, identical core text, and shared terminology.
- Consistency: Same structure as ISO 27001 and ISO 9001
- Integration: Easy to combine with existing management systems
- Familiarity: Auditors can leverage existing knowledge
- Efficiency: Shared processes across systems
Annex SL Clause Structure
| Clause | Title | Core Requirement |
|---|---|---|
| 1 | Scope | Standard applicability |
| 2 | Normative References | Referenced documents |
| 3 | Terms and Definitions | Standardized terminology |
| 4 | Context of Organization | Internal/external issues, scope |
| 5 | Leadership | Commitment, policy, roles |
| 6 | Planning | Risks, opportunities, objectives |
| 7 | Support | Resources, competence, documentation |
| 8 | Operation | Operational planning and control |
| 9 | Performance Evaluation | Monitoring, audit, review |
| 10 | Improvement | Corrective action, continual improvement |
ISO 42001 Extensions to Annex SL
| Annex SL Clause | ISO 42001 AI-Specific Addition |
|---|---|
| Clause 6 | AI risk assessment (6.1.2), AI risk treatment (6.1.3) |
| Clause 8 | AI system impact assessment (8.4) |
| Annex A | 39 AI-specific controls |
| Annex B | AI control implementation guidance |
| Annex C | AI objectives and risk sources |
| Annex D | Sector-specific AI guidance |
The PDCA Cycle for AIMS
- PLAN (Clauses 4-7): Context, policy, objectives, risk assessment, resources
- DO (Clause 8): Implement controls, conduct impact assessments
- CHECK (Clause 9): Monitor, measure, audit, management review
- ACT (Clause 10): Address nonconformities, drive improvement
PLAN Phase
- Understand organizational context (4.1)
- Identify interested parties (4.2)
- Define AIMS scope (4.3)
- Establish AI policy (5.2)
- Conduct AI risk assessment (6.1.2)
- Set AI objectives (6.2)
- Plan resources (7.1, 7.2)
DO Phase
- Implement operational controls (8.1)
- Execute AI risk treatment (8.3)
- Conduct AI system impact assessments (8.4)
- Deploy Annex A controls
- Manage AI system lifecycle (A.6)
CHECK Phase
- Monitor AI system performance (9.1)
- Conduct internal audits (9.2)
- Perform management reviews (9.3)
- Evaluate control effectiveness
ACT Phase
- Address nonconformities (10.2)
- Implement corrective actions
- Identify improvement opportunities (10.1)
- Update risk assessments
Related AI Standards Ecosystem
ISO/IEC 22989: AI Concepts and Terminology
Purpose: Establishes common AI vocabulary
- Artificial Intelligence: Capability of an engineered system to acquire, process, and apply knowledge
- AI System: An engineered system that generates outputs such as predictions, recommendations, and decisions
- Machine Learning: Process of optimizing model parameters through computational techniques
- AI Lifecycle: The stages of an AI system from conception to retirement
Relevance to ISO 42001: Normative reference for definitions; ensures consistent terminology and provides the foundation for stakeholder communication.
ISO/IEC 23894: AI Risk Management
Purpose: Guidance on managing AI-specific risks
Relevance to ISO 42001: Informs Clause 6 requirements, supports AI risk assessment (6.1.2) and treatment (6.1.3), aligns with Annex C.
| Risk Category | Examples |
|---|---|
| Technical | Model accuracy, robustness, security |
| Data | Bias, quality, privacy, provenance |
| Operational | Reliability, maintainability, scalability |
| Ethical | Fairness, transparency, human agency |
| Societal | Employment impact, environmental effects |
| Legal | Regulatory violations, liability |
ISO/IEC 38507: Governance of AI
Purpose: Guidance for governing bodies on AI governance
Relevance to ISO 42001: Supports Clause 5 implementation, aligns with A.3, informs board-level AI oversight.
- Human-centricity: AI benefits people and society
- Transparency: Governance is transparent
- Accountability: Clear responsibility for outcomes
- Compliance: Adherence to laws and regulations
- Fairness: Equitable treatment
- Data governance: Proper data management
Standards Relationship Map
| Standard | Relationship to ISO 42001 |
|---|---|
| ISO 22989 | Provides terminology (normative reference) |
| ISO 23894 | Informs risk management approach |
| ISO 38507 | Guides governance implementation |
| ISO 27001 | Information security controls for AI |
| ISO 9001 | Quality management for AI processes |
| ISO 31000 | General risk management framework |
Integration with Existing Management Systems
Integration Benefits
- Common Processes: Document control, internal audit, management review
- Shared Resources: Competent personnel, audit programs
- Unified Governance: Integrated policy framework
- Efficiency: Reduced duplication, streamlined audits
ISO 42001 + ISO 27001 Integration
| ISO 42001 Element | ISO 27001 Equivalent | Integration Approach |
|---|---|---|
| AI Policy (5.2) | ISMS Policy (5.2) | Extend ISMS policy for AI |
| Risk Assessment (6.1.2) | Risk Assessment (6.1.2) | Unified methodology |
| Competence (7.2) | Competence (7.2) | Combined framework |
| Internal Audit (9.2) | Internal Audit (9.2) | Integrated program |
| Management Review (9.3) | Management Review (9.3) | Combined review |
AI-Specific Extensions Beyond ISO 27001
| ISO 42001 Unique | Why Not in ISO 27001 |
|---|---|
| AI Impact Assessment (8.4) | AI-specific societal impacts |
| A.5 Impact Controls | Beyond security scope |
| A.6 AI Lifecycle Controls | AI-specific development |
| A.7 Data Controls | AI data quality/provenance |
| A.8 Explainability Controls | AI transparency |
| A.9 Human Oversight | AI autonomy considerations |
1. Annex SL provides harmonized structure enabling integration
2. PDCA Cycle maps to clauses (Plan: 4-7, Do: 8, Check: 9, Act: 10)
3. ISO 22989 provides essential terminology
4. ISO 23894 informs AI risk management
5. ISO 38507 guides governance at board level
6. Integration with existing MS saves time and effort
- Know how PDCA maps to ISO 42001 clauses
- Understand which standard provides terminology (22989) vs. risk guidance (23894)
- Explain why AI-specific requirements extend beyond ISO 27001
- Remember that Annex SL ensures consistent structure across ISO management systems